Web services may be employed using a service oriented architecture (“SOA”) based system having Web services components (e.g., a Web service requester/user and a Web service provider) respectively operating at end points in different domains at different access permission levels, typically in different security classification access permission level domains. Such a multiple level security (“MLS”) or multiple independent levels of security (“MILS”) environment requires executing service calls and passing information through secure channels. Such a secure channel may be a part of a cross-domain security (“CDS”) system. The CDS system may comprise a trusted guard, such as a high assurance guard (“HAG”), in order to maintain information access integrity (security). High assurance guards typically are built to permit one way communication channels only, in order to prevent such security lapses as leakage, probing, and inadvertent passing of classified information into a domain of lower classification clearance level. By allowing only one way communication, e.g., from the lower access permission level to the higher access permission level, the HAG may prevent such things as browsing through the higher access permission level domain from the lower access permission level domain, or vice-versa. The single permitted direction may, therefore, be oriented either way across the domain boundary through the HAG.
HAGs may also unwrap messages and review content, e.g., by applying key word tests or other rules or logic well known in the art, to block, automatically or with human intervention, the passage of a message from a higher access permission level domain (e.g., a higher security classification access permission level) to a lower access permission level domain (e.g., a lower security classification access permission level). Content may also be evaluated in messages from the lower level domain to the higher level domain, e.g., to keep out viruses, spyware and the like.
The HAG may make determinations, such as by examining the content of a bypass object, to evaluate whether the information being transferred is of appropriate classification to leave the higher classified domain and enter the lower classified domain. Security guard algorithms may rely on information indicated by the bypass object, such as the format of the data, and may, e.g., verify that specified fields contain specific values before allowing the transfer. Other rules, criteria, algorithms and the like may be used as filters/screens.
A multilevel security computer system such as a HAG may thus be used to communicate between different security domains, such as from the NIPRNet to the SIPRNet, utilizing, e.g., a Controlled Interface (“CI”) between security levels. A controlled interface may function as a multilevel security system used to transfer low-classification data between security domains. Multilevel security may function to apply computer processing to information with different sensitivities (i.e., at different security levels) and, as noted above, to permit access by users with different security clearances and needs-to-know while preventing users from obtaining access to information for which they lack authorization.
The data to be transferred between different security level domains may theoretically move in either direction; however, in most HAGs the communication protocols are modified so as to allow only one way transfers of messages/data. This facilitates the HAG being able to control the establishment of, and to monitor the substance of, communication between a requester of information and a provider of information across the domain boundary. The controlled interface ensures the HAG's ability to perform its screening role, and also prevents such security leaks as unauthorized browsing and the like.
A normal protocol over a networked communication system such as the Internet comprises the transfer of a request for information along with a return address to which the provider returns the requested information. As such, it will not pass through a HAG. Among other ways of blocking two way communication through a cross-domain security system such as a HAG, the return address will be stripped. This constraint is thus incompatible with common networking protocols (such as Transmission Control Protocol/Internet Protocol, or TCP/IP) and with the higher level constructs built on them (including many used for publishing, discovering, initiating and performing Web services). In particular, protocols that depend on two-way message communication to, among other things, verify message receipt and identify the response destination are stymied.
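The guard behaviour described in the preceding paragraphs (content review of an unwrapped message against a bypass object and a key word list, an upward check for malicious content, and stripping of the return address so that the channel stays one way) can be made concrete in a small model. The following is an added illustration, not code from the patent application or from any real guard product; the message layout, the bypass-object field names, the key word list and the malware signature are assumptions made for the example.

```python
"""Toy model of a one-way high assurance guard (HAG) message review.

Added illustration, not code from the patent application or any real guard.
The message layout, the bypass-object field names ("format", "classification",
"reviewer"), the key-word list and the malware signature are all assumptions.
"""
import re
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Assumed ordering of classification levels, low to high.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Assumed key words whose presence blocks release to a lower domain
# (the "key word tests" mentioned in the text).
DIRTY_WORDS = ("SECRET", "CODEWORD", "SOURCE:")

# Constructed signature standing in for a virus/spyware pattern that must
# not be allowed upward into the higher domain.
MALWARE_SIGNATURES = (b"CONSTRUCTED-MALWARE-SIG",)


@dataclass(frozen=True)
class Message:
    bypass: dict                        # the "bypass object" the guard inspects
    body: bytes                         # unwrapped content
    return_address: Optional[str] = None  # present in normal two-way protocols


def review_high_to_low(msg: Message, low_level: str = "UNCLASSIFIED") -> Tuple[bool, str]:
    """Release review for a message leaving the higher domain."""
    b = msg.bypass
    # Verify that specified bypass-object fields contain specific values.
    if b.get("format") != "text/plain":
        return False, "bypass format not in the allowed set"
    if "reviewer" not in b:
        return False, "bypass object carries no reviewer attribution"
    marking = b.get("classification")
    if marking not in LEVELS or LEVELS[marking] > LEVELS[low_level]:
        return False, f"marking {marking!r} may not enter {low_level}"
    # Key-word test on the unwrapped content (case-insensitive, word-anchored).
    text = msg.body.decode("utf-8", errors="replace")
    for word in DIRTY_WORDS:
        if re.search(r"\b" + re.escape(word), text, re.IGNORECASE):
            return False, f"key word {word!r} found in body"
    return True, "releasable"


def review_low_to_high(msg: Message) -> Tuple[bool, str]:
    """Content check for a message entering the higher domain."""
    for sig in MALWARE_SIGNATURES:
        if sig in msg.body:
            return False, "matched malware signature"
    return True, "accepted"


def pass_through_guard(msg: Message, direction: str) -> Tuple[bool, str, Message]:
    """Apply the review for the given direction, then enforce one-way flow by
    stripping the return address so the receiver cannot reply via the guard."""
    if direction == "high_to_low":
        ok, why = review_high_to_low(msg)
    elif direction == "low_to_high":
        ok, why = review_low_to_high(msg)
    else:
        raise ValueError(f"unknown direction {direction!r}")
    sanitized = replace(msg, return_address=None)
    return ok, why, sanitized


if __name__ == "__main__":
    # Constructed sample: unclassified supplier data with a reviewer tag.
    msg = Message(
        bypass={"format": "text/plain", "classification": "UNCLASSIFIED",
                "reviewer": "release-officer-1"},
        body=b"Supplier X can deliver part 123 at $5 with a 6 week lead time.",
        return_address="10.0.0.5:4443",
    )
    print(pass_through_guard(msg, "high_to_low"))
```

Note that the return address is dropped whether or not the content review passes; that is the property that makes the channel unusable for request/response protocols, which is the problem the rest of this section describes.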
Security clearances, such as governmental/military classifications like “CONFIDENTIAL”, “SECRET” and “TOP SECRET”, etc., are not the only access permission criteria that may be enforced with a cross-domain security system such as a trusted guard, e.g., a HAG. There may also be other reasons within or between local area networks (“LANs”) and wide area networks (“WANs”), including the Internet, and also including intranet domains, and sub-domains of any of these, for differing levels of access permission. For example, within a company, personnel records may be classified with restricted access, but various parts of the company may need to be provided with limited access to such files and the information contained in them.
In order to build and implement Web services architectures, such as can implement a SOA, and to pass such information as is needed for the Web service user and the Web service provider to interact remotely over some network, Web service providers located at endpoints in one access permission level domain, which are permitted to accept requests from a Web service user/requester located in another access permission level domain, need to be able to expose (i.e., advertise) in that other access permission level domain their availability, capability(ies), performance characteristics and the like (referred to in the present application as “publishing”). As noted, typically, but not always, the other access permission level domain will have a lower level of access permission (less stringent criteria for access), e.g., for governmental/military security classification clearance, a lower level of security clearance and thus of access permission.
In addition to publishing their availability, and as part of publishing their capabilities and performance characteristics, providers also need, at a minimum, to expose their service contracts in a fashion that is usable, e.g., by automated software tooling to generate client side bindings and to permit service orchestration in an appropriate manner. There is a need to allow sharing of information that should be unclassified between a classified security domain and a security domain of lower classification. Such sharing may involve, by way of example, information that would not in and of itself be classified if it were not within a file/folder in, e.g., a domain served by a more highly classified, such as “SECRET,” system high machine. There is a need to allow cross-domain sharing of Web services information, including such publishing, between domains of differing classification.
Thus, by way of example, in the field of law enforcement, information about an individual being investigated may itself not be classified, but the source of the information may be, so that access to documents revealing both the information and the source is limited by the security classification. As another example, in the field of supply management, the fact that supplier X can deliver a certain component with a certain price, delivery schedule, etc. may not in and of itself be classified, but the fact that this information comes from a document indicating that the part is currently being used/tested in a classified weapons system project under development may be. The fact that a certain system is under development or in existence may also in and of itself be classified, so that documents mentioning such a system, even if they contain only otherwise unclassified information, may be classified. As mentioned, communication from a lower classification domain may desirably be limited as well, such as to block the transmission of viruses and the like into the higher classification domain from the lower classification domain.
Discovery is the act of locating a machine-processable description of a Web service-related resource (Web service provider) that may have been previously unknown and that meets certain functional criteria. Discovery may be utilized to match a set of functional and other criteria with a set of resource descriptions. The goal is to find an appropriate Web service and Web service provider. Discovery, the analog to publishing, whether performed solely through an automated Internet tool or involving human interaction (like searching with a search engine), likewise cannot occur across a cross-domain security system. Utilization of a discovery service, which may employ agents (automated, human, or partly both) to retrieve Web service information such as a Web service-related resource description, is blocked across the domain boundary.
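The matching step of discovery just described (functional criteria against a set of resource descriptions, with the clearance and need-to-know constraints mentioned earlier applied to the descriptions themselves) is illustrated by the following added example. It is not code from the patent application; the description schema, the performance field, the compartment names and the sample registry are assumptions constructed for the example. It models discovery within a single domain only, since the text explains that the discovery query itself cannot cross a one way guard.

```python
"""Toy discovery step: match functional criteria against Web service resource
descriptions, honoring the requester's clearance and need-to-know.

Added illustration, not code from the patent application.  The description
schema, the latency field, the compartment names and the sample registry are
assumptions.  Discovery here is within one domain; the query does not cross a guard.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class ServiceDescription:
    endpoint: str
    operations: FrozenSet[str]      # capabilities the provider advertises
    p95_latency_ms: int             # an assumed performance characteristic
    level: str                      # marking on the description itself
    compartments: FrozenSet[str]    # need-to-know compartments required


@dataclass(frozen=True)
class Requester:
    clearance: str
    compartments: FrozenSet[str]


def dominates(req: Requester, desc: ServiceDescription) -> bool:
    """Lattice check: clearance at or above the marking, and every required
    compartment held by the requester."""
    return (LEVELS[req.clearance] >= LEVELS[desc.level]
            and desc.compartments <= req.compartments)


def discover(registry: List[ServiceDescription], req: Requester,
             required_ops: FrozenSet[str], max_latency_ms: int) -> List[str]:
    """Return endpoints the requester may see that satisfy the criteria,
    best first (lowest latency, then fewest surplus operations)."""
    hits: List[Tuple[int, int, str]] = []
    for d in registry:
        if not dominates(req, d):
            continue   # the description is withheld, not just the service
        if not required_ops <= d.operations:
            continue   # functional criteria not met
        if d.p95_latency_ms > max_latency_ms:
            continue   # performance criterion not met
        surplus = len(d.operations - required_ops)
        hits.append((d.p95_latency_ms, surplus, d.endpoint))
    return [endpoint for _, _, endpoint in sorted(hits)]


# Constructed registry for the example (hypothetical endpoints).
REGISTRY = [
    ServiceDescription("https://geo.example/ws", frozenset({"locate", "track"}),
                       120, "UNCLASSIFIED", frozenset()),
    ServiceDescription("https://geo-fast.example/ws", frozenset({"locate"}),
                       40, "SECRET", frozenset({"PROJ-A"})),
    ServiceDescription("https://geo-slow.example/ws",
                       frozenset({"locate", "track", "history"}),
                       900, "UNCLASSIFIED", frozenset()),
    ServiceDescription("https://intel.example/ws", frozenset({"locate"}),
                       60, "SECRET", frozenset({"PROJ-B"})),
]

if __name__ == "__main__":
    r = Requester("SECRET", frozenset({"PROJ-A"}))
    print(discover(REGISTRY, r, frozenset({"locate"}), 500))
```

The point of applying the dominance check to the description rather than only to the service is the one made earlier in this section: the existence of a service, like the existence of a system under development, may itself be the classified fact, so a discovery result must not reveal it to a requester who lacks the clearance or compartment.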
Such publishing and discovery of a particular Web service end point from a collection of possible Web service provider end points is thus currently not possible through a cross-domain security system, such as a trusted guard, such as a HAG.
There is, therefore, a need for a system and method allowing for Web service publishing and/or discovery that operates across domains with a trusted guard interface such as a one way controlled interface, such as a HAG.
Once the Web service requester and provider are linked, a system such as disclosed in co-pending U.S. Published Patent Application No. 20080307101, published on Dec. 11, 2008, entitled METHOD AND APPARATUS FOR EXECUTING WEB SERVICES THROUGH A HIGH ASSURANCE GUARD can enable the provision and utilization of the service over the communication medium, such as the Internet even through a cross-domain security system, such as a HAG.